airflow
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted data from the Airflow environment. Ingestion points: Tools such as
get_dag_source_codeandanalyse_dag_latest_run(which includes task logs and source) ingest external content into the agent's context. Boundary markers: The instructions lack any delimiters or warnings to the agent to ignore instructions embedded in the source code or logs. Capability inventory: The skill has the capability to trigger runs (trigger_dag_run) and modify DAG states (pause_dag), which could be misused if the agent obeys instructions in the ingested data. Sanitization: No sanitization or validation of the fetched content is performed before processing. - [DATA_EXFILTRATION] (LOW): The skill provides access to high-value information through tools like
go_to_connections_viewandgo_to_variables_view. While these are part of the intended management capability, they expose sensitive credentials and environment variables to the agent. - [COMMAND_EXECUTION] (LOW): The
trigger_dag_runtool allows the agent to initiate execution within the Airflow environment, representing a powerful capability that requires careful control over the agent's inputs.
Audit Metadata